Enter and verify a new VCS password. Click “Change Password” to save the password.

To configure a new Git repository hosted in Phabricator with HTTP authentication, follow these steps:

Click the Phabricator logo in the top navigation bar.

Select the “Diffusion” tab in the left navigation menu.

On the resulting page, click the “Create repository” link in the top right corner.

Create a new hosted repository by selecting the repository type - in this case, Git.

Enter a human-readable name for the repository and an internal “callsign”.

On the repository details page, select the “Policies” menu item and define the access policies for the repository by specifying which groups can view, edit and push to it.

On the repository details page, choose the “Activate Repository” option to create your repository and confirm activation in the resulting dialog.

If all goes well, your repository will be created. You can select the “Status” menu item to confirm that activation succeeded.

Browse to the “URIs” page from the repository details page to obtain the repository clone URL.

Using SSH authentication

Step 1: Add a Special VCS User Account

Phabricator needs a dedicated user account that repository users connect as over SSH. You must first create this account and adjust it to work with Phabricator. In this guide, the account is called vcs-user. You can use a different user name if you wish, but if you do, remember to update it in all the commands shown below.

Follow the steps below:

Log in to your server console as usual.

Create the new user account.

$ sudo adduser vcs-user

Give the user the same privileges as the daemon user, which is the user the Phabricator daemons run as by default in the Bitnami Phabricator Stack. Execute the command below:

Edit the /etc/shadow file, find the line for the new vcs-user account and replace the password field (the second field) with the letters NP.

Step 2: Configure Phabricator

Next, you must set two important configuration variables in Phabricator. The phd.user variable defines the name of the user the daemons run as, while the diffusion.ssh-user variable sets the name of the user for SSH connections.

Step 3: Open a New Firewall Port For SSH

Phabricator uses a highly restricted version of SSH running on port 22. Therefore, before you can use SSH authentication with Phabricator, you must move your existing SSH server to a different port, such as port 222, so that you can continue to log in to the server console for other tasks. Refer to the FAQ for more information on opening port 222.

Step 4: Test SSH Access on the New Port

Next, run a separate instance of the SSH server on port 222 and verify that you can log in, before transferring it permanently. This is an important step to ensure that you do not inadvertently get locked out of your server.

Log in to your server console as usual.

Run the following command to create a necessary SSH key:

$ sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

Run the following command to start the SSH server on port 222:

$ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config -p 222

This will run a separate instance of the SSH server on port 222. You should now try logging in to the server console, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section below.

Step 5: Move Your SSH Server to the New Port

The steps below will permanently transfer your SSH server to run on port 222.

Log in to your server console as usual.

Edit the SSH server configuration file at /etc/ssh/sshd_config:

$ sudo vi /etc/ssh/sshd_config

Within the file, find the line containing the Port directive and update it to use port 222, as below:

Port 222

Save the file.

Restart the SSH server.

$ sudo service ssh restart

You should now try logging in to the server console again, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section.

Step 6: Start Phabricator’s Restricted SSH Server

The steps below will start Phabricator’s restricted SSH server on the original SSH port, port 22.

Log in to your server console as usual.

Copy the /opt/bitnami/apps/phabricator/htdocs/resources/sshd/phabricator-ssh-hook.sh file to the /usr/share directory.

It is also necessary to make the PHP binary available in the default path for the vcs-user account. Use the following command to create the necessary link.

$ sudo ln -s /opt/bitnami/php/bin/php /usr/bin/php

Step 7: Add Public Keys to Phabricator

This is a good time to add your users’ public SSH keys to Phabricator so that they can authenticate themselves over SSH. To do this, follow the steps below:

Log in to Phabricator as an administrator.

Click the settings icon in the top navigation bar, next to the logout icon.

Select the “Personal Account Settings” menu item.

On the resulting page, select the “Authentication -> SSH Public Keys” menu item.

Select the “SSH Key Actions -> Upload Public Key” menu item.

Enter the name and content of the public key.

Click “Upload Public Key” to save the new public key to the system.

Repeat the last three steps for each user to be authenticated over SSH.

Step 8: Test SSH Authentication

You can now run a quick test to see if everything is working correctly. To do this:

Log in to the server console as one of the users whose public key you just uploaded.

Execute the following command:

$ echo {} | ssh vcs-user@localhost conduit conduit.ping

If everything is correctly configured, the server response should look like the example below:

{"result":"my-hostname","error_code":null,"error_info":null}

If you see a different response, see the Troubleshooting section below.

Step 9: Configure a Self-Hosted Repository with SSH Authentication

To configure a new Git repository hosted in Phabricator with SSH authentication, follow these steps:

Click the Phabricator logo in the top navigation bar.

Select the “Diffusion” tab in the left navigation menu.

On the resulting page, click the “Create repository” link in the top right corner.

Create a new hosted repository by selecting the repository type - in this case, Git.

Enter a human-readable name for the repository and an internal “callsign”.

On the repository details page, select the “Policies” menu item and define the access policies for the repository by specifying which groups can view, edit and push to it.

On the repository details page, choose the “Activate Repository” option to create your repository and confirm activation in the resulting dialog.

If all goes well, your repository will be created. You can select the “Status” menu item to confirm that activation succeeded.

To obtain the repository clone URL, access the repository detail page from the “Diffusion” tab, which contains the complete clone URL.

Users whose public keys are stored in Phabricator should now be able to clone the repository using a command like:

$ git clone clone-url

Troubleshooting

The quickest way to troubleshoot authentication issues is to run Phabricator’s restricted SSH server in debug mode and view the error log it generates. To do this, first ensure it is not running (or kill the existing running process) and then replace the last command in Step 6 with this one:

$ sudo /usr/sbin/sshd -d -d -d -f /etc/ssh/sshd_config.phabricator &

This will start Phabricator’s SSH server in debug mode and display a running log of error messages on the console. You can now test SSH access as described in Step 8 and watch the log for more detailed error information. Common errors include incorrect key file permissions, invalid file paths in configuration files or missing binaries.
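
Before reaching for debug mode, the settings from Steps 1, 5 and 6 can be checked directly. The script below is an added example, not part of the original guide or of Phabricator. The function names and the hook location /usr/share/phabricator-ssh-hook.sh (derived from the copy in Step 6) are assumptions, as is the hook being referenced through sshd's AuthorizedKeysCommand directive.

```shell
#!/bin/sh
# Added example (not from the original guide): preflight checks for Steps 1, 5 and 6.
# Every check takes the file to inspect as an argument, so it can be tried on copies.

# Step 1: field 2 of the VCS user's line in a shadow-format file must be exactly NP.
shadow_field_is_np() {  # usage: shadow_field_is_np FILE USER
    field=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    [ "$field" = "NP" ]
}

# Steps 5 and 6: list the ports set by uncommented Port directives, one per line.
# sshd listens on 22 when the file has no Port directive at all.
sshd_ports() {  # usage: sshd_ports FILE
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# The console sshd and the restricted sshd must not claim the same port.
ports_disjoint() {  # usage: ports_disjoint ADMIN_CONFIG RESTRICTED_CONFIG
    for p in $(sshd_ports "$1"); do
        sshd_ports "$2" | grep -qx "$p" && return 1
    done
    return 0
}

# Step 6: the hook must be an executable file that group and others cannot write.
# Assumption: it is wired in through sshd's AuthorizedKeysCommand, which also
# requires root ownership (check that separately with: stat -c %U FILE).
hook_mode_ok() {  # usage: hook_mode_ok FILE   (uses GNU stat)
    [ -f "$1" ] && [ -x "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;   # group- or other-writable
    esac
    return 0
}

# Run against the live files with: sudo sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    shadow_field_is_np /etc/shadow vcs-user || echo "vcs-user: password field is not NP"
    ports_disjoint /etc/ssh/sshd_config /etc/ssh/sshd_config.phabricator ||
        echo "both sshd configurations use the same port"
    hook_mode_ok /usr/share/phabricator-ssh-hook.sh || echo "hook: unsafe mode or missing"
fi
```

With --run the script prints one line per failed check and nothing when all three pass.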